fix(openbao-ui): handle OIDC callback without Ember popup flow

OpenBao's Ember UI expects OIDC to complete in a popup and postMessage to
window.opener. The standalone KeyCape login uses a full-page redirect, so the
callback now exchanges the authorization code directly, persists the UI token
in localStorage, and redirects into the vault UI. Unauthenticated /ui/ loads
also redirect to the standalone login page to avoid ?with= bounce loops.
2026-06-19 21:18:34 +02:00
parent 520c7ea2c0
commit 50799938db
8 changed files with 205 additions and 2 deletions
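The standalone callback flow the commit message describes (read `code`/`state` from the full-page redirect, exchange the code server-side, persist the UI token, redirect into the Ember app), as an added example that is not the KeyCape/OpenBao project's own code. It assumes OpenBao exchanges the code at `GET /v1/auth/<mount>/oidc/callback?state=&code=&client_nonce=` (the upstream Vault shape; verify against your OpenBao version), that the login page stashed the `client_nonce` it sent to `auth_url` and the returned `state` in sessionStorage, and that the storage key names and the post-login landing path are hypothetical. Dependencies are injected so the logic can be exercised outside a browser.

```javascript
// Added example (not KeyCape/OpenBao project code). Assumptions, marked below:
//  - OpenBao exchanges the code at GET /v1/auth/<mount>/oidc/callback?state=&code=&client_nonce=
//    (the upstream Vault shape; verify against your OpenBao version).
//  - The login page stashed the client nonce it sent to auth_url, and the state from the
//    returned auth URL, in sessionStorage before redirecting to KeyCape.
//  - The storage key names and the post-login landing path are hypothetical.

const UI_TOKEN_KEY = "bao_ui_token";      // hypothetical localStorage key
const NONCE_KEY = "oidc_client_nonce";    // hypothetical sessionStorage key
const STATE_KEY = "oidc_state";           // hypothetical sessionStorage key
const LANDING_PATH = "/ui/vault/secrets"; // assumed post-login route

// Parse the full-page callback URL. Only the exact callback path is accepted,
// and an error response from the provider is surfaced instead of being ignored.
function parseCallbackUrl(href) {
  const u = new URL(href);
  const m = u.pathname.match(/^\/ui\/vault\/auth\/([^/]+)\/oidc\/callback$/);
  if (!m) throw new Error("not an OIDC callback path: " + u.pathname);
  const err = u.searchParams.get("error");
  if (err) throw new Error("provider returned error: " + err);
  const code = u.searchParams.get("code");
  const state = u.searchParams.get("state");
  if (!code || !state) throw new Error("callback is missing code or state");
  return { mount: decodeURIComponent(m[1]), code, state };
}

// Constant-time string comparison so the state check does not leak by timing.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Build the server-side exchange URL; the mount name is encoded, never interpolated raw.
function buildExchangeUrl(mount, code, state, nonce) {
  const q = new URLSearchParams({ state: state, code: code, client_nonce: nonce });
  return "/v1/auth/" + encodeURIComponent(mount) + "/oidc/callback?" + q.toString();
}

// Complete the redirect flow. Pass window.location.href, localStorage,
// sessionStorage and fetch from a browser, or stand-ins from a test.
async function completeCallback({ href, storage, session, fetchFn }) {
  const { mount, code, state } = parseCallbackUrl(href);
  const expectedState = session.getItem(STATE_KEY);
  const nonce = session.getItem(NONCE_KEY);
  // Single-use: clear before the exchange so a replayed callback cannot reuse them.
  session.removeItem(STATE_KEY);
  session.removeItem(NONCE_KEY);
  if (!nonce || !safeEqual(expectedState, state)) {
    throw new Error("state/nonce mismatch: callback was not started by this browser");
  }
  const res = await fetchFn(buildExchangeUrl(mount, code, state, nonce), {
    method: "GET",
    headers: { Accept: "application/json" },
  });
  if (!res.ok) throw new Error("code exchange failed: HTTP " + res.status);
  const body = await res.json();
  const token = body && body.auth && body.auth.client_token;
  if (!token) throw new Error("exchange response carries no auth.client_token");
  // Persist for the Ember app. localStorage is readable by any script on the
  // origin, so a strict CSP on /ui/ is what protects this token from XSS.
  storage.setItem(UI_TOKEN_KEY, JSON.stringify({ token: token, mount: mount, issued: Date.now() }));
  return { token: token, redirectTo: LANDING_PATH };
}

// Browser entry point (guarded so the file also loads outside a browser).
if (typeof window !== "undefined" && typeof fetch === "function") {
  completeCallback({ href: window.location.href, storage: window.localStorage,
                     session: window.sessionStorage, fetchFn: fetch })
    .then(({ redirectTo }) => {
      // Drop ?code=&state= from history before leaving the callback page.
      window.history.replaceState(null, "", window.location.pathname);
      window.location.replace(redirectTo);
    })
    .catch((e) => { document.body.textContent = "Login failed: " + e.message; });
}
```

The state and nonce are removed from sessionStorage before the exchange, so a second load of the same callback URL (a replay, or a back-button revisit) fails the mismatch check rather than triggering another exchange. The authorization code itself is single-use on the OpenBao side, but the client-side check also stops a callback that this browser never initiated.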


@@ -342,7 +342,9 @@ The gateway serves a standalone KeyCape login page at `/ui/vault/auth` so Ember
never handles the bare auth route (avoids `?with=token` / `?with=netkingdom/`
bounce when OIDC mounts are hidden from the unauthenticated listing). Clicking
**Sign in with KeyCape** calls `auth_url` and redirects to KeyCape directly.
OIDC callbacks under `/ui/vault/auth/<mount>/oidc/` still proxy to the OpenBao UI.
OIDC callbacks under `/ui/vault/auth/<mount>/oidc/callback` are handled by a
standalone page that exchanges the authorization code, stores the UI session
token, and redirects into the Ember app (no popup/`window.opener` flow).
The OpenBao UI redirects the browser to KeyCape at `kc.coulomb.social`, then
returns to:
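Review bot: the new sentence (`standalone page that exchanges the authorization code, stores the UI session token, and redirects into the Ember app`) should say where the token is stored and what validation happens before the exchange. The commit message says localStorage; that belongs in this doc together with the consequence (readable by any script on the /ui/ origin, persists across browser restarts) and how the Ember app clears it on logout. Likewise, state whether the callback page checks the `state` in the callback against what the login page obtained from `auth_url` before calling the exchange endpoint, since with the popup flow gone this page is now the only client-side check. Separately, the trailing context `The OpenBao UI redirects the browser to KeyCape at kc.coulomb.social` now contradicts the earlier sentence that the standalone login page's **Sign in with KeyCape** button does the redirect; suggest `The standalone login page redirects the browser to KeyCape at kc.coulomb.social`.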